Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
Watson Ladd <watsonbladd@gmail.com> Fri, 08 November 2013 06:34 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA0DB21E81C9 for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 22:34:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.547
X-Spam-Level:
X-Spam-Status: No, score=-2.547 tagged_above=-999 required=5 tests=[AWL=0.053, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QiZBXYalvkvo for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 22:34:17 -0800 (PST)
Received: from mail-we0-x235.google.com (mail-we0-x235.google.com [IPv6:2a00:1450:400c:c03::235]) by ietfa.amsl.com (Postfix) with ESMTP id CF7C421E80A1 for <tls@ietf.org>; Thu, 7 Nov 2013 22:34:16 -0800 (PST)
Received: by mail-we0-f181.google.com with SMTP id t60so1509192wes.40 for <tls@ietf.org>; Thu, 07 Nov 2013 22:34:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=QRa8iteksSuc5KT3vXcpvLnHGn4/IWgeW0/EVPG/MI8=; b=fcBJP/5EyjZynz8t+rPTRqau6m4MpvjV91oS/tLmWFxqlkrDCPuSrdtUXuGi4RFBrF Pvh4FkpkhozQ2SYjhJeOEcwrLI+f7sGDJGhnQq2OyfVmpMAK6x6BWi4fy4QkSblH5yhn TB6SS/ajJcgFaGmgclvjX632lXOQhdSvOJjJ/JMYzvIsqrh8i2r+tXBwc+i/hGJ2DSoR tGSvugIewjcTxKXDtwaY1V6QVQQbqvqp3ppRv7FV+h435E8cxLAmyT33dabyPzUa/kpW 6qZoXRfKvTE7CUPZ9qnNPw3ibChK1uwi5bPEZ/7ATt2X2AzPRZy7Yev93gFVnkS60GvM dCKA==
MIME-Version: 1.0
X-Received: by 10.194.93.105 with SMTP id ct9mr10770311wjb.6.1383892455703; Thu, 07 Nov 2013 22:34:15 -0800 (PST)
Received: by 10.194.242.131 with HTTP; Thu, 7 Nov 2013 22:34:15 -0800 (PST)
In-Reply-To: <CA+BZK2o411meJDkLwnwOudrkr-G_eWeFx0tirLhUCoSnKsddEg@mail.gmail.com>
References: <CA+BZK2q_f_JrdkdJRC1MirPH2yzRL2Y_28fi4e2MGdc5Uxnksg@mail.gmail.com> <20131107200815.F24AB1AA69@ld9781.wdf.sap.corp> <CA+BZK2o411meJDkLwnwOudrkr-G_eWeFx0tirLhUCoSnKsddEg@mail.gmail.com>
Date: Thu, 07 Nov 2013 22:34:15 -0800
Message-ID: <CACsn0cmoiQph7mSfTxsKs+O-9iRYAVeHcp73tCuVuCyofi5oMg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Ralf Skyper Kaiser <skyper@thc.org>
Content-Type: text/plain; charset="UTF-8"
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2013 06:34:17 -0000
On Thu, Nov 7, 2013 at 1:39 PM, Ralf Skyper Kaiser <skyper@thc.org> wrote: > Hi, > > For TLS 1.3 there can be a solution that the SNI is never send in clear. > > The downgrade attack to TLS 1.2 is possible and would trigger the SNI to be > send in clear again. > (It requires an active attack). Why wasn't this fixed years ago? The client should indicate the highest offered version when falling back, and the server should signal if there is a problem. This was an issue with SSL 3.0 and TLS 1.0. It's still an issue today because SSL 3.0 is still out there. > > We need the backward compatibility (from TLS 1.3 to TLS 1.2) for the > foreseeable future. That does not > mean that we should continue with the same flaws in 1.3 that we have in > previous TLS versions. > > regards, > > ralf > > > > On Thu, Nov 7, 2013 at 8:08 PM, Martin Rex <mrex@sap.com> wrote: >> >> Ralf Skyper Kaiser wrote: >> > >> > On Thu, Nov 7, 2013 at 7:46 PM, Yoav Nir <ynir@checkpoint.com> wrote: >> > > >> > > IMO, if both sites are either collocated on the same machine, or >> > > hosted >> > > behind the same SSL accelerator, they already share enough that >> > > multi-SAN >> > > is not a bad thing. >> > > >> > > With SNI is it currently stands, the site you are looking for is sent >> > > in >> > > the clear. If we keep the choose-certificate functionality in 1.3, we >> > > still >> > > leave it exposed in either the SNI or in the certificate that the >> > > server >> > > sends. A generic certificate is the only one that hides what the >> > > client is >> > > browsing. >> > > TLS mailing list >> > > >> > >> > No, SNI can be send encrypted in TLS 1.3 with 'Reduced RT with Privacy' >> > as >> > presented by Eric yesterday. Key Exchange is done before SNI is send and >> > auth is done as last. (What's now cleartext would then require >> > detectable-active attack). >> >> I'm sorry, but I firmly believe this will be pure and useless obscurity >> coming at a high cost. >> >> The amount of "activity" for the attack is minuscule (just tear down >> the connection when you see the TLSv1.3 client hello -- the client >> *WILL* reconnect with SNI in the clear. For the NSA, this is trivial, >> they're actively doing stuff like this on a regular basis (Foxacid). >> >> There are already lots of sites and lots of middle-boxes that cause >> errors like this in a non-malicious fashion, that "detecting" such >> an error is only going to annoy users, but not provide any benefit. >> >> For those negligible situation where there might be any theoretical >> benefit at all, it would be possible to define a seperate TLS extension >> with the properties you're looking for, rather than messing up SNI. >> >> -Martin >> > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- [TLS] Final nail in the coffin for cleartext SNI/… Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Watson Ladd
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Salz, Rich
- Re: [TLS] Final nail in the coffin for cleartext … Ryan Hurst
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Daniel Kahn Gillmor
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Seth David Schoen
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Watson Ladd
- Re: [TLS] Final nail in the coffin for cleartext … Salz, Rich
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Michael D'Errico
- Re: [TLS] Final nail in the coffin for cleartext … Jacob Appelbaum
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Michael D'Errico
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Sean Leonard
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Juho Vähä-Herttua
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Phillip Hallam-Baker
- Re: [TLS] Final nail in the coffin for cleartext … Daniel Kahn Gillmor
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Daniel Kahn Gillmor
- Re: [TLS] Final nail in the coffin for cleartext … Juho Vähä-Herttua
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Bodo Moeller
- Re: [TLS] Final nail in the coffin for cleartext … Marsh Ray
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Geoffrey Keating